
Virus Throttling - The war begins

Many of you have heard me discuss how underground groups are looking to distribute worms faster than the time an organization has time to react. 2004 was the year of worm QA and we all participated in the process. Once worm writers get it right, there *will* be a worm with a destructive payload.

Anyway, some folks here PMed me saying that I was nothing more than a paranoid geek looking for "1337" status. Well for those who feel this way, have a look at this:

Software engineers at Hewlett-Packard are developing "virus-throttling" software to slow the spread of viruses and worms on the Internet by identifying suspicious behavior. HP chief technology officer Tony Redmond says, "Any worm or virus that depends on its ability to spread itself will be hurt by this technology." Alan Paller, director of research at the SANS Institute, says the overall idea "makes sense," and adds, "It's an arms race, not a simple war. I've been hearing people talk about the notion of throttling for a long time, and it's a spectacular idea if HP can get it to work." [*The Washington Post*, 30 Nov 2004; NewsScan Daily, 1 Dec 2004] http://www.washingtonpost.com/wp-dyn...2004Nov30.html

Finally we see confirmation that vendors are trying to widen the reaction time window. Until now, all vendors have kept quiet about this. I feel vindicated.

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

For sure, the techniques described in [1] (as far as I understood, these are the same as
mentioned in the Washington Post article?) are very promising (e.g. the plot (Fig. 3) of
the Nimda distribution as a function of time and the number of "throttling" machines).

In addition, I am wondering how widely one can perform "virus-throttling"
at a "hardware" level, like Cisco's (?) technique of NAT limiting [2] or different methods (?).

How many people (or companies) have already activated "virus-throttling" using
such (hardware-based) solutions, and to what extent is this efficient at slowing down
the distribution of worms? Any experience?
I apologize for the huge amount of question marks in this post.
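The thread never spells out what HP's throttle treats as "suspicious behavior". HP Labs' published design (Williamson, "Throttling Viruses", 2002) is a per-host rate limit on connections to destinations the host has not contacted recently; normal traffic revisits a small set of hosts and passes untouched, while a scanning worm piles up a backlog of new destinations. The code below is an added example, not code from this thread, from HP or from the papers cited as [1] and [2]: a minimal throttle in that style, plus a toy random-scanning spread model that answers the question above about how the number of throttling machines changes the spread. The working-set size of 5, one released destination per tick, the alert threshold of 20 queued destinations, 500 hosts and 10 scans per tick are all constructed parameters chosen for illustration.

```python
"""Virus-throttling sketch: a per-host connection throttle plus a toy spread
model.  Added example; the design follows HP Labs' published idea of limiting
connections to *new* destinations; every numeric parameter is an assumption."""
from collections import OrderedDict, deque
import random


class ConnectionThrottle:
    """Outbound connections to recently contacted hosts pass immediately;
    connections to hosts not seen recently are released at most `rate` per
    tick.  A normal host rarely fills the delay queue; a scanning worm fills
    it within a few ticks, which is the 'suspicious behaviour' signal."""

    def __init__(self, working_set_size=5, rate=1, alert_threshold=20):
        self.working_set_size = working_set_size
        self.rate = rate                    # new destinations released per tick
        self.alert_threshold = alert_threshold
        self.working_set = OrderedDict()    # LRU of recently contacted hosts
        self.delay_queue = deque()          # distinct new destinations, FIFO
        self.queued = set()                 # same members, for O(1) lookups
        self.alerted = False

    def request(self, dest):
        """Handle one outbound connection request; returns 'pass' or 'queued'."""
        if dest in self.working_set:
            self.working_set.move_to_end(dest)   # refresh LRU position
            return "pass"
        if dest not in self.queued:              # one queue slot per destination
            self.queued.add(dest)
            self.delay_queue.append(dest)
        if len(self.delay_queue) > self.alert_threshold:
            self.alerted = True                  # backlog too deep: flag the host
        return "queued"

    def tick(self):
        """Advance one time unit; returns the destinations released this tick."""
        released = []
        for _ in range(min(self.rate, len(self.delay_queue))):
            dest = self.delay_queue.popleft()
            self.queued.discard(dest)
            self.working_set[dest] = True
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)   # evict least recent
            released.append(dest)
        return released


def simulate(n_hosts=500, throttled_fraction=0.0, scans_per_tick=10,
             max_ticks=200, seed=1):
    """Toy random-scanning worm on `n_hosts` hosts (constructed model, not
    real traffic).  Each infected host picks `scans_per_tick` random targets
    per tick; a throttled host only infects targets its throttle lets through.
    Returns the infected count after each tick, stopping at full infection."""
    rng = random.Random(seed)
    n_throttled = int(n_hosts * throttled_fraction)
    throttles = {h: ConnectionThrottle()
                 for h in rng.sample(range(n_hosts), n_throttled)}
    infected = {0}                               # patient zero
    history = []
    for _ in range(max_ticks):
        newly_reached = set()
        for host in list(infected):
            targets = [rng.randrange(n_hosts) for _ in range(scans_per_tick)]
            if host in throttles:
                throttle = throttles[host]
                allowed = [d for d in targets if throttle.request(d) == "pass"]
                allowed += throttle.tick()       # at most `rate` new hosts per tick
            else:
                allowed = targets                # unthrottled host: every scan lands
            newly_reached.update(allowed)
        infected |= newly_reached
        history.append(len(infected))
        if len(infected) == n_hosts:
            break
    return history


def ticks_to_infect(history, target):
    """First tick at which at least `target` hosts are infected, or None."""
    for tick, count in enumerate(history, start=1):
        if count >= target:
            return tick
    return None


if __name__ == "__main__":
    for fraction in (0.0, 0.5, 1.0):
        hist = simulate(throttled_fraction=fraction)
        print(f"{int(fraction * 100):3d}% of hosts throttled: "
              f"450/500 infected after {ticks_to_infect(hist, 450)} ticks")
```

Two things the model makes visible that the news quote does not: the throttle never blocks on its own, it only delays, so the `alerted` flag is where a real deployment would cut the host off or page an operator; and partial coverage helps far less than full coverage, because the unthrottled hosts keep the exponential growth going while the throttled ones merely lag behind. That is the same point the Fig. 3 plot of [1] makes by varying the number of throttling machines.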

Personally, I think this is a band-aid and more of an approach that attempts to cure the symptom and not the root cause. There is no way to uniformly apply this technique across the Internet. Moreover, when commercial interests are at the wheel and not an Internet regulatory group, things tend to go to hell quickly.


Re: Virus Throttling - The war begins

Software engineers at Hewlett-Packard are developing "virus-throttling" software to slow the spread of viruses and worms on the Internet by identifying suspicious behavior. HP chief technology officer Tony Redmond says, "Any worm or virus that depends on its ability to spread itself will be hurt by this technology." Alan Paller, director of research at the SANS Institute, says the overall idea "makes sense," and adds, "It's an arms race, not a simple war. I've been hearing people talk about the notion of throttling for a long time, and it's a spectacular idea if HP can get it to work."

Can you provide any additional information about how they plan to implement it? Slowing down the progress of a virus on the Internet sounds like a good idea, but what about implementation?
Where do they plan to install this software?

As I said, the implementation is fuzzy at this point and I really feel that the only good thing that has come of this announcement is that the industry has fessed up and acknowledged that they have recognized the issue and are now attempting to deal with it. The problem, as I noted above, is that they are trying to cure the symptom and not the root cause.


You should feel vindicated, horse, and deservedly so. The changes in the types of malware I'm seeing, and the methods used to distribute and infect, bear you out.

I agree that HP's efforts are addressing a symptom, not the disease. However, if there is an effective method of identifying suspicious behavior and it can be included in switch and router firmware, I would welcome any reprieve that may provide. I'll welcome any tools that will help me keep the network running and give me a chance to respond to malware.

Maybe HP's efforts will prompt others to try working on other areas. The more people/organizations looking at the problem, the better chance we have of getting good solutions, instead of band-aids.